Modern computer systems typically provide some type of virtual address mechanism. As is known in the art, each individually-accessible unit of memory associated with a computer system has a physical address that uniquely identifies that unit of memory. However, in a computer system that supports virtual addressing, it is possible to assign virtual addresses to the physical locations. The virtual address system uses a translation map to translate the virtual address into a physical address.
One feature of a virtual addressing system is that it is possible to configure the address translation maps such that certain sets of physical address (e.g. pages of physical memory) does not have any virtual address. In a typical page-based memory management scheme, the address translation map translates virtual page descriptors into physical page frame numbers. Thus, all of the locations in a given physical page frame can be denied virtual addresses by ensuring that the address translation map does not lead to that page frame. More generally, many virtual addressing schemes tag virtual addresses with accesses that can be performed through the virtual address (e.g. read, read/write); selected accesses to a page (e.g. writes) can be prevented by ensuring that no virtual address mapping to the page allows the denied access. This facet of the address translation map can be used to implement a form of memory protection. Thus, a software object (e.g., an operating system, an application level process, or any other type of software object) can be denied access to a page of the physical address space by ensuring that any map exposed to that software object is in such a state that no virtual address mapping to the page in question permits the access. This type of memory protection scheme is particularly useful in the IA32 family of processors (e.g., the INTEL x86 processors), because the architecture of the INTEL x86 processors is such that when operating in protected mode (the processor's normal operating state), all memory access requests go through virtual address translation. A memory protection scheme that works by prohibiting supervisor-mode programs from modifying translation tables in a manner that would permit certain access to certain physical addresses is referred to as “Address Translation Control,” or ATC.
In typical architectures (like the x86), the translation from virtual to physical addresses is given by the contents of ordinary memory pages (so-called “page map” pages). This is convenient for writing operating systems, because virtual address maps can be created and modified by ordinary memory operations. If the operating system is to be confined using ATC, then ATC must prevent the operating system from having a mapping that allows it to write directly into page map pages, since the operating system could use writes to such pages to create mappings giving it arbitrary access to arbitrary physical memory pages. Thus, in addition to preventing read-write mappings to pages that the software object is not allowed to write, ATC has to prevent “unsafe” maps that include read-write mappings to page map pages.
While memory isolation by ATC is effective, one problem that arises is how to deal with write requests that create unsafe maps but do not themselves violate the access control policy. One way to deal with such a write request is for the request simply to fail; however, this would require substantial revision to the operating system. Thus, some current ATC algorithms modify either the written value (e.g. to change a read-write mapping to a page map page to a read-only mapping) or modify other page map pages to make the map safe. The problem with this technique is that the software object will execute the write request believing that a specified value is being written to the target location when, in fact, that location will end up containing a different value. This discrepancy can reverberate in various ways—e.g., a software object may generate a checksum based on the values that the software thinks have been stored, and these checksums will not validate against the modified value generated by the ATC system.
A benefit of one embodiment of the present invention is to provide an environment where writes that create unsafe maps (but obey the security policy) appear to succeed unmodified (from the standpoint of the software object), but where the resulting maps cannot be exploited to circumvent the security policy, thereby overcoming the drawbacks of the prior art.